CITY OF BOULDER *** POLICIES AND PROCEDURES

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "CITY OF BOULDER *** POLICIES AND PROCEDURES"

Transcription

1 CITY OF BOULDER *** POLICIES AND PROCEDURES CONNECTED PARTNER EFFECTIVE DATE: SECURITY POLICY LAST REVISED: 12/2006 CHRISS PUCCIO, CITY IT DIRECTOR CONNECTED PARTNER SECURITY POLICY PAGE 1 OF 9

2 Table of Contents 1. INTRODUCTION POLICY...3 A. Acceptable Use / Allowed Services...3 A.1 Overview...3 A.2 Policy...3 B. Personnel Background Screening...3 B.1 Overview...3 B.2 Policy...3 B.3 Requirement...4 C. Remote Access...4 C.1 Overview...4 C.2 Policy...4 C.3 Requirements...4 D. Authentication...5 D.1 Overview...5 D.2 Policy...5 D.3 Requirements...5 E. Virus Protection...6 E.1 Overview...6 E.2 Policy...6 E.3 Requirements...6 F. Ongoing Vigilance...6 F.1 Overview...6 F.2 Policy...6 F.3 Requirements...6 G. Documentation...7 G.1 Overview...7 G.2 Policy...7 H. Managing Software Patches and Upgrades...7 H.1 Overview...7 H.2 Policy...7 H.3 Requirements...7 I. External Connections...7 I.1 Overview...7 I.2 Policy...7 I.3 Requirements...8 J. Non-City-Owned Equipment...8 J.1 Overview...8 J.2 Policy...8 J.3 Requirement...8 K. Account Types...8 K.1 Overview...8 K.2 Policy...8 K.3 Procedure DISCIPLINARY ACTION CONSTRUCTION AND INTERPRETATION REVIEW AND REVISION...9 CONNECTED PARTNER SECURITY POLICY PAGE 2 OF 9

3 1. INTRODUCTION The City of Boulder s holistic approach to information technology security extends to partners and affiliates with access to the City of Boulder network and other City resources. This document details the City s policy on security awareness and compliance as it relates to its partners and affiliates. This policy has been developed in an effort to support the City s business objectives and as a way to reduce losses associated with intentional or accidental information disclosure, modification, destruction, or denial of service. All partners/affiliates are responsible for knowing and complying with all components of this policy. Questions about the policy should be directed to the City of Boulder IT Department. 2. POLICY A. Acceptable Use / Allowed Services A.1 Overview This policy component outlines acceptable use of City of Boulder computing resources, including resources that are owned, leased, or used by the City. A.2 Policy A.2.1: Use of City systems and resources for personal use by partners/affiliates is not permitted. A.2.2: There should be no expectation of privacy when using the City s network. The City of Boulder reserves the right to access, retrieve, read and disclose any data, messages or files stored on City of Boulder-funded systems for any purpose. The City of Boulder reserves the right to monitor use of these systems to prevent abuse, enforce other policies, and access information. Access may occur in, but is not limited to, situations indicating: (1) impropriety, (2) violation of City of Boulder policy, (3) legal requirements, (4) suspected criminal activities, or (5) breach of system security. The contents of these systems may be disclosed by City of Boulder Management within or outside of the City of Boulder without partner/affiliate permission. Furthermore all communications, including text and images, may be disclosed to law enforcement or other third parties without prior consent of the sender or the receiver. The City of Boulder has unlimited access to protect the security of these systems or the City of Boulder s property rights. A.2.3: Recognizing that technology processes are constantly changing, for any current or future technology-related issues not explicitly covered by this policy, partners/affiliates should act in the spirit of this policy. Any questions should be directed to the City of Boulder IT Director. B. Personnel Background Screening B.1 Overview Personnel with administrator-level access to City of Boulder Police Department computer systems often have unlimited access to view and/or modify the information contained in those systems. As such, the criminal backgrounds of these personnel are relevant to any decision to grant them administrator-level system access. B.2 Policy All City of Boulder partners/affiliates must pass a fingerprint-based criminal background record check before being permitted access to any City of Boulder Police Department computer systems (whether servers, CONNECTED PARTNER SECURITY POLICY PAGE 3 OF 9

4 networking equipment, or client workstations) at an administrator-equivalent level. In cases where a criminal history is found, access will be permitted or denied by decision of the individual s supervisor or sponsor in consultation with the IT Department Director and representatives from the HROE Department, Police Department, or City Attorney s Office as appropriate. B.3 Requirement B.3.1: Any City of Boulder partner/affiliate requiring administrator-level access to any City of Boulder Police Department computer system must be fingerprinted by the City of Boulder Police Department. Fingerprints and other necessary personal information from this individual must be analyzed by appropriate law enforcement agencies to assess the criminal background of the individual. Sufficient information on the results of this background check must be provided to the individual s supervisor or sponsor to allow an informed decision on appropriate computer system access. C. Remote Access C.1 Overview The purpose of this section of the policy is to define standards for connecting to the City of Boulder's network from remote locations. These standards are designed to minimize the potential exposure to the City from damages that may result from unauthorized use of City resources. Damages may include the loss of sensitive or City confidential data, damage to public image, or damage to critical City of Boulder internal systems. Remote access implementations that are covered by this policy include, but are not limited to, dial-in or cable modems, other leased-line services, VPN, and wireless. C.2 Policy Only individuals with specific business need may be granted remote access to the City of Boulder network. Requests for remote access must be approved by the IT Department following completion and submission of a Remote Access Request Approval form. It is the responsibility of City of Boulder partners/affiliates with remote access privileges to the City network to ensure that their remote access connection is given the same consideration as an on-site connection to the City network. C.3 Requirements C.3.1: At no time may City of Boulder partners/affiliates provide their remote login information to anyone. C.3.2: Nonstandard remote access modes, hardware, or configurations must be approved by the City of Boulder IT Department. C.3.3: All computers that are connected to City of Boulder networks via remote access channels must use antivirus software in accordance with the Virus Protection policy section of this document. C.3.4: All remote access with designated time limits will only be available during the specified times. Any changes to the scope of remote access time requires the approval of the City of Boulder IT Department. C.3.5: Any violations of these guidelines may result in the termination of the remote access channel. CONNECTED PARTNER SECURITY POLICY PAGE 4 OF 9

5 D. Authentication D.1 Overview As the front line of protection for user accounts, passwords are an important aspect of IT security. A poorly chosen password may result in the unexpected compromise of elements of the City of Boulder's network. As such, all City of Boulder partners/affiliates with access to City of Boulder systems are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords. D.2 Policy D.2.1: All partner/affiliate accounts with the City of Boulder must have a password. D.2.2: All system-level passwords (e.g., root, enable, administrator, application administration accounts, etc.), including major application and database administrative passwords, must be changed on at least a quarterly basis. D.2.3: All user-level passwords (e.g., , web, desktop computer, etc.) on systems that allow partners/affiliates to independently change the password must be changed at least every 120 days. D.2.4: Passwords must not be inserted into unencrypted messages. D.2.5: All passwords must conform to the requirements described below. D.3 Requirements D.3.1 General Password Construction Standards Acceptable passwords have the following characteristics: D.3.1.1: Contain both upper and lower case characters (e.g., a-z, A-Z). D.3.1.2: Have digits and punctuation characters as well as letters e.g., ~- =\`{}[]:";'<>?,./). D.3.1.3: Are at least eight alphanumeric characters long. D.3.1.4: Are not a word in any language, slang, dialect, jargon, etc. D.3.1.5: Are not based on personal information, names of family, etc. D.3.1.6: Are easily remembered by the user. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: This May Be One Way To Remember and the password could be: TmB1w2R! or Tmb1W>r~ or some other variation. D.3.2 Password Protection Standards D.3.2.1: Partners/affiliates must not have the same password for City of Boulder accounts as for non-city of Boulder accounts (e.g., personal ISP account, benefits, etc.). D.3.2.2: Partners/affiliates must not share City of Boulder passwords with anyone. All passwords are to be treated as sensitive, confidential information. D.3.2.3: If an account or password is suspected to have been compromised, the incident must be reported to the City of Boulder IT Department and the password changed. CONNECTED PARTNER SECURITY POLICY PAGE 5 OF 9

6 E. Virus Protection E.1 Overview Viruses, worms, and Trojan horses are designed to infect, control, and damage computers and networks. They are discovered daily, and each is designed to serve a unique function or purpose. Viruses can spread from a disk, over the network, via , or in a file, and they can do anything to a system from changing or deleting files to attacking other systems. The purpose of this virus protection policy is to minimize the risk of these types of threats to the City of Boulder and its partners/affiliates. E.2 Policy Virus protection software must be installed and maintained on all systems connected to the City of Boulder network. E.3 Requirements E.3.1: Virus protection software must be installed and maintained on all systems. E.3.2: Virus protection software updates must be downloaded and installed as they become available. E.3.3: Virus protection software must be configured to scan for viruses in real time. F. Ongoing Vigilance F.1 Overview The overall security of the City of Boulder requires daily attention from every member of the staff, including partners/affiliates. The most important thing partners/affiliates can do for the City s computer security is to remain vigilant and aware of security issues. F.2 Policy All users of City of Boulder computing resources are responsible for being alert to possible system security compromises. F.3 Requirements In the City of Boulder environment, partners/affiliates should consider the following as examples of suspicious activities: F.3.1: Anyone asking for their own password or authentication credentials F.3.2: Unexpected, significant changes in performance, response time, or usability F.3.3: Unusual or inconsistent log entries CONNECTED PARTNER SECURITY POLICY PAGE 6 OF 9

7 G. Documentation G.1 Overview Documentation is one of the most critical ingredients in security. It provides a baseline for identifying changes and a tool for debugging problems. As a necessary tool for building a secure network environment, it should be a high priority. G.2 Policy Partners/affiliates must document with designated City IT staff all activities relating to City resources, including but not limited to installations, upgrades, patches, configuration changes, application installations/removals, and service activations/deactivations. H. Managing Software Patches and Upgrades H.1 Overview Because software vendors release so many security-related patches and upgrades, it is essential that they be addressed in a timely, professional manner to ensure the overall security of the computing environment. H.2 Policy All systems connecting to the City of Boulder network must be patched to current levels. H.3 Requirements H.3.1: Only patches from verified, known, reputable sources should be applied to systems. H.3.2: Regular auditing of patch compliance may be conducted to ensure proper policy compliance and system integrity. I. External Connections I.1 Overview External connections between the City of Boulder network and those of third parties are sometimes necessary to facilitate effective business communications between organizations. It is possible to deploy them in such a way that they present only a minimum amount of security risk to the organization, but care must be taken to ensure this is the case. I.2 Policy All external connections to the City of Boulder network shall be implemented on a case-by-case basis and must be approved by the Assistant Director of Network Services. No external connections are allowed on even an ad hoc or temporary basis without approval from the Assistant Director of Network Services after careful consideration of the security impact. CONNECTED PARTNER SECURITY POLICY PAGE 7 OF 9

8 I.3 Requirements I.3.1: When approved, access through external connections should be limited to only those resources that are absolutely necessary to meet the business need. I.3.2: Third parties must notify the City of Boulder of employment status changes of personnel who utilize the external connection. Adequate steps should be taken by both the City of Boulder and the third party to revoke any access to unauthorized personnel. I.3.3: External connections should be approved for a limited (possibly renewable) time period, such as six months or a year, so their purpose and necessity can be re-evaluated on a regular basis. J. Non-City-Owned Equipment J.1 Overview When equipment that the City does not own is attached to the City network it must be secure to the same degree that City-owned equipment is secure and adhere to this policy. This protects both the equipment owner and the City from a security breach resulting from previous misconfiguration or violation. J.2 Policy All non-city-owned equipment must conform to the same requirements as City-owned equipment as outlined in this policy prior to being connected to the network by any means J.3 Requirement J.3.1: Non-city-owned equipment must comply with the requirements in all sections of this policy. K. Account Types K.1 Overview Vendors needing access to systems on the City of Boulder network will adhere to the following policy that establishes what type of account is appropriate for the vendor. If a vendor is determined to need access, it will have one of two types of access: individual accounts or shared accounts. K.2 Policy City of Boulder s preferred method of providing vendors with access for remote support is through individually identifiable accounts, particularly in the case where administrative rights are required. If a vendor has dedicated technicians that will provide support, they need to have their own accounts. If a vendor has a pool of 10 or more technicians that might or might not provide remote support, and that don t promote code in the City of Boulder environment, City of Boulder will consider letting the vendor use one account, based on the following procedures: K.3 Procedure K.3.1 Vendors with Individual Accounts Individual accounts are those accounts that are associated with a particular person. For example, vendor X will have multiple accounts associated with it, one for each person that will need access to the City of Boulder network. CONNECTED PARTNER SECURITY POLICY PAGE 8 OF 9

9 K.3.1.1: If any of the following conditions are met, the vendor must use individual accounts: K : Vendor provides eight or more hours of support in a month K : Vendor promotes code in the City of Boulder environment K : Vendor has a pool of less than 10 technicians that might provide support K.3.1.2: Vendor requirements: L : Signed user security policy agreements each individual receiving access L : Agreement that in the event a vendor employee is terminated City of Boulder will be notified and the password will be changed within 24 hours K.3.2 Vendors with Shared Accounts Shared Accounts are those accounts that are used by multiple individuals. In this case, there is one account associated with a vendor for all people requiring access to the City of Boulder network. If none of the Individual Account conditions apply, then a vendor may elect to have a shared account. K Vendor requirements: K : User security policy agreement signed by a supervisor within the vendor company K : Demonstrated ability and willingness to provide in a timely manner a log describing who used the shared account, when it was used, and what it was used for. K : If the vendor is not willing or able to provide this log, the shared account will be removed and the vendor will be required to use individually identifiable accounts, obtained through the standard City of Boulder staff entry process for vendors. K : Agreement that in the event an employee who has access to the shared login is terminated, the vendor will notify City of Boulder and change the password within one hour of termination. 3. DISCIPLINARY ACTION Violation of this policy may result in disciplinary action, up to and including termination of access privileges. 4. CONSTRUCTION AND INTERPRETATION Partners/affiliates who have questions concerning possible conflict between their interests and those of the City, or the interpretation and application of any of these rules, should direct their inquiries to the City of Boulder IT Department. The IT Department may refer the matter to the Human Resources Director for advice, or to the City Manager for final resolution. 5. REVIEW AND REVISION This policy supersedes all previous policies covering the same or similar topics. At a minimum, this policy will be reviewed in its entirety on an annual basis by the City of Boulder IT policy review committee and updated as necessary. The policy review committee should include management stakeholders, cross-functional IT department members, and end-user representatives. Policy sections may be reviewed and changed any time at the discretion of the policy review committee. It is the policy review committee s responsibility to communicate any policy changes to the City of Boulder IT staff. CONNECTED PARTNER SECURITY POLICY PAGE 9 OF 9

Network and Workstation Acceptable Use Policy

Network and Workstation Acceptable Use Policy CONTENT: Introduction Purpose Policy / Procedure References INTRODUCTION Information Technology services including, staff, workstations, peripherals and network infrastructures are an integral part of

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

The Internet and e-mail 2 Acceptable use 2 Unacceptable use 2 Downloads 3 Copyrights 3 Monitoring 3. Computer Viruses 3

The Internet and e-mail 2 Acceptable use 2 Unacceptable use 2 Downloads 3 Copyrights 3 Monitoring 3. Computer Viruses 3 Table of Contents 1 Acceptable use 1 Violations 1 Administration 1 Director and Supervisor Responsibilities 1 MIS Director Responsibilities 1 The Internet and e-mail 2 Acceptable use 2 Unacceptable use

More information

Network Security Policy

Network Security Policy Network Security Policy I. PURPOSE Attacks and security incidents constitute a risk to the University's academic mission. The loss or corruption of data or unauthorized disclosure of information on campus

More information

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

DHHS Information Technology (IT) Access Control Standard

DHHS Information Technology (IT) Access Control Standard DHHS Information Technology (IT) Access Control Standard Issue Date: October 1, 2013 Effective Date: October 1,2013 Revised Date: Number: DHHS-2013-001-B 1.0 Purpose and Objectives With the diversity of

More information

NETWORK SECURITY GUIDELINES

NETWORK SECURITY GUIDELINES NETWORK SECURITY GUIDELINES VIRUS PROTECTION STANDARDS All networked computers and networked laptop computers are protected by GST BOCES or district standard anti-virus protection software. The anti-virus

More information

CAPITAL UNIVERSITY PASSWORD POLICY

CAPITAL UNIVERSITY PASSWORD POLICY 1.0 Overview Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Capital University's

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

College of Education Computer Network Security Policy

College of Education Computer Network Security Policy Introduction The College of Education Network Security Policy provides the operational detail required for the successful implementation of a safe and efficient computer network environment for the College

More information

Document Control Policy & Procedure 15

Document Control Policy & Procedure 15 Bethany Care Ltd Document Control Policy & Procedure 15 Date Created 19/10/2007 Date Reviewed 12/02/2014 Document Review Details Reviewed by Brian Lynch (Quality Assurance) Date of next review February

More information

THE PENNSYLVANIA STATE UNIVERSITY OFFICE OF HUMAN RESOURCES PASSWORD USAGE POLICY

THE PENNSYLVANIA STATE UNIVERSITY OFFICE OF HUMAN RESOURCES PASSWORD USAGE POLICY THE PENNSYLVANIA STATE UNIVERSITY OFFICE OF HUMAN RESOURCES PASSWORD USAGE POLICY 1.0 Purpose The purpose of this policy is to establish Office of Human Resources (OHR) standards for creation of strong

More information

Network Security Policy

Network Security Policy KILMARNOCK COLLEGE Network Security Policy Policy Number: KC/QM/048 Date of First Issue: October 2009 Revision Number: 3 Date of Last Review: October 2011 Date of Approval \ Issue May 2012 Responsibility

More information

Sheridan College Institute of Technology and Advanced Learning Telephone and Computer Information Access Policy

Sheridan College Institute of Technology and Advanced Learning Telephone and Computer Information Access Policy Sheridan College Institute of Technology and Advanced Learning Telephone and Computer Information Access Policy Introduction This Telephone and Computer Information Access Policy (the "Policy") governs

More information

IT Security Standard: Remote Access to Bellevue College Systems

IT Security Standard: Remote Access to Bellevue College Systems IT Security Standard: Remote Access to Bellevue College Systems Introduction This standard defines the specific requirements for implementing Bellevue College policy # 5250: Information Technology (IT)

More information

NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT

NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT Appendix A to 11-02-P1-NJOIT NJ OFFICE OF INFORMATION TECHNOLOGY P.O. Box 212 www.nj.gov/it/ps/ 300 Riverview Plaza Trenton, NJ 08625-0212 NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT The Intent

More information

SUPPLIER SECURITY STANDARD

SUPPLIER SECURITY STANDARD SUPPLIER SECURITY STANDARD OWNER: LEVEL 3 COMMUNICATIONS AUTHOR: LEVEL 3 GLOBAL SECURITY AUTHORIZER: DALE DREW, CSO CURRENT RELEASE: 12/09/2014 Purpose: The purpose of this Level 3 Supplier Security Standard

More information

Acceptable Use Policy

Acceptable Use Policy Acceptable Use Policy TABLE OF CONTENTS PURPOSE... 4 SCOPE... 4 AUDIENCE... 4 COMPLIANCE & ENFORCEMENT... 4 POLICY STATEMENTS... 5 1. General... 5 2. Authorized Users... 5 3. Loss and Theft... 5 4. Illegal

More information

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template University of California, Riverside Computing and Communications IS3 Local Campus Overview Departmental Planning Template Last Updated April 21 st, 2011 Table of Contents: Introduction Security Plan Administrative

More information

Boston University Security Awareness. What you need to know to keep information safe and secure

Boston University Security Awareness. What you need to know to keep information safe and secure What you need to know to keep information safe and secure Introduction Welcome to Boston University s Security Awareness training. Depending on your reading speed, this presentation will take approximately

More information

Information Security

Information Security Information Security A staff guide to the University's Information Systems Security Policy Issued by the IT Security Group on behalf of the University. Information Systems Security Guidelines for Staff

More information

Information Security Policy

Information Security Policy Information Security Policy Touro College/University ( Touro ) is committed to information security. Information security is defined as protection of data, applications, networks, and computer systems

More information

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

ICT Password Protection Policy

ICT Password Protection Policy SH IG 30 Information Security Suite of Policies ICT Summary: Keywords (minimum of 5): (To assist policy search engine) Target Audience: Next Review Date: This document describes the information security

More information

Incident Response Plan for PCI-DSS Compliance

Incident Response Plan for PCI-DSS Compliance Incident Response Plan for PCI-DSS Compliance City of Monroe, Georgia Information Technology Division Finance Department I. Policy The City of Monroe Information Technology Administrator is responsible

More information

Policy Title: HIPAA Security Awareness and Training

Policy Title: HIPAA Security Awareness and Training Policy Title: HIPAA Security Awareness and Training Number: TD-QMP-7011 Subject: HIPAA Security Awareness and Training Primary Department: TennDent/Quality Monitoring/Improvement Effective Date of Policy:

More information

Information Technology Cyber Security Policy

Information Technology Cyber Security Policy Information Technology Cyber Security Policy (Insert Name of Organization) SAMPLE TEMPLATE Organizations are encouraged to develop their own policy and procedures from the information enclosed. Please

More information

Responsible Access and Use of Information Technology Resources and Services Policy

Responsible Access and Use of Information Technology Resources and Services Policy Responsible Access and Use of Information Technology Resources and Services Policy Functional Area: Information Technology Services (IT Services) Applies To: All users and service providers of Armstrong

More information

PHI- Protected Health Information

PHI- Protected Health Information HIPAA Policy 2014 The Health Insurance Portability and Accountability Act is a federal law that protects the privacy and security of patients health information and grants certain rights to patients. Clarkson

More information

Information Technology Acceptable Use Policy

Information Technology Acceptable Use Policy Information Technology Acceptable Use Policy Overview The information technology resources of Providence College are owned and maintained by Providence College. Use of this technology is a privilege, not

More information

DIOCESE OF DALLAS. Computer Internet Policy

DIOCESE OF DALLAS. Computer Internet Policy DIOCESE OF DALLAS Computer Internet Policy October 2012 Page 1 ROMAN CATHOLIC DIOCESE OF DALLAS COMPUTER SYSTEMS AND INTERNET USE POLICY Summary Definitions: 1. The term Communication(s) Assets as used

More information

Standard: Information Security Incident Management

Standard: Information Security Incident Management Standard: Information Security Incident Management Page 1 Executive Summary California State University Information Security Policy 8075.00 states security incidents involving loss, damage or misuse of

More information

State of Illinois Department of Central Management Services GENERAL SECURITY FOR STATEWIDE IT RESOURCES POLICY

State of Illinois Department of Central Management Services GENERAL SECURITY FOR STATEWIDE IT RESOURCES POLICY State of Illinois Department of Central Management Services GENERAL SECURITY FOR STATEWIDE IT RESOURCES POLICY Effective December 15, 2008 State of Illinois Department of Central Management Services Bureau

More information

Estate Agents Authority

Estate Agents Authority INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in

More information

SAO Remote Access POLICY

SAO Remote Access POLICY SAO Remote Access POLICY Contents PURPOSE... 4 SCOPE... 4 POLICY... 4 AUTHORIZATION... 4 PERMITTED FORMS OF REMOTE ACCESS... 5 REMOTE ACCESS USER DEVICES... 5 OPTION ONE: SAO-OWNED PC... 5 OPTION TWO:

More information

Hamilton College Administrative Information Systems Security Policy and Procedures. Approved by the IT Committee (December 2004)

Hamilton College Administrative Information Systems Security Policy and Procedures. Approved by the IT Committee (December 2004) Hamilton College Administrative Information Systems Security Policy and Procedures Approved by the IT Committee (December 2004) Table of Contents Summary... 3 Overview... 4 Definition of Administrative

More information

Use of ESF Computing and Network Resources

Use of ESF Computing and Network Resources Use of ESF Computing and Network Resources Introduction: The electronic resources of the State University of New York College of Environmental Science and Forestry (ESF) are powerful tools, shared among

More information

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8. micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5

More information

VMware vcloud Air SOC 1 Control Matrix

VMware vcloud Air SOC 1 Control Matrix SOC 1 Control Objectives/Activities Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort, we have undergone a variety of industry standard audits,

More information

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities

More information

Information Resources Security Guidelines

Information Resources Security Guidelines Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive

More information

SUPREME COURT OF COLORADO OFFICE OF THE CHIEF JUSTICE

SUPREME COURT OF COLORADO OFFICE OF THE CHIEF JUSTICE SUPREME COURT OF COLORADO OFFICE OF THE CHIEF JUSTICE Directive Concerning the Colorado Judicial Department Electronic Communications Usage Policy: Technical, Security, And System Management Concerns This

More information

Procedure Title: TennDent HIPAA Security Awareness and Training

Procedure Title: TennDent HIPAA Security Awareness and Training Procedure Title: TennDent HIPAA Security Awareness and Training Number: TD-QMP-P-7011 Subject: Security Awareness and Training Primary Department: TennDent Effective Date of Procedure: 9/23/2011 Secondary

More information

State of Vermont. User Password Policy and Guidelines

State of Vermont. User Password Policy and Guidelines State of Vermont User Password Policy and Guidelines Date of Rewrite Approval: 10/2009 Originally Approved: 4/08/2005 Approved by: Neale F. Lunderville Policy Number: fib lleul~ 1.0 Introduction... 3 1.1

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

Vermont Information Technology Leaders

Vermont Information Technology Leaders Vermont Information Technology Leaders HIPAA COMPLIANCE POLICIES AND PROCEDURES Policy Number: InfoSec 1 Policy Title: Information Privacy and Security Management Process IDENT INFOSEC1 Type of Document:

More information

UMHLABUYALINGANA MUNICIPALITY ANTIVIRUS MANAGEMENT POLICY

UMHLABUYALINGANA MUNICIPALITY ANTIVIRUS MANAGEMENT POLICY UMHLABUYALINGANA MUNICIPALITY ANTIVIRUS MANAGEMENT POLICY Antivirus Management Policy Approval and Version Control Approval Process: Position or Meeting Number: Date: Originator Recommended by Director

More information

Password Expiration Passwords require a maximum expiration age of 60 days. Previously used passwords may not be reused.

Password Expiration Passwords require a maximum expiration age of 60 days. Previously used passwords may not be reused. DRAFT 6.1 Information Systems Passwords OVERVIEW Passwords are an important aspect of information security. They are the front line of protection for user accounts. A poorly chosen password may result

More information

Central Texas College District Human Resource Management Operating Policies and Procedures Manual Policy No. 294: Computer Security Policy

Central Texas College District Human Resource Management Operating Policies and Procedures Manual Policy No. 294: Computer Security Policy Central Texas College District Human Resource Management Operating Policies and Procedures Manual Policy No. 294: Computer Security Policy I. PURPOSE To identify the requirements needed to comply with

More information

Password Policy 1. Purpose: 2. Scope: 3.Policy 3.1 Policy Statements

Password Policy 1. Purpose: 2. Scope: 3.Policy 3.1 Policy Statements Password Policy 1. Purpose: The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change of the passwords. 2. Scope:

More information

Introduction. PCI DSS Overview

Introduction. PCI DSS Overview Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure with products such as Network monitoring, Helpdesk management, Application management,

More information

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,

More information

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA SITA Information Security SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA September, 2012 Contents 1. Introduction... 3 1.1 Overview...

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

MCOLES Information and Tracking Network. Security Policy. Version 2.0

MCOLES Information and Tracking Network. Security Policy. Version 2.0 MCOLES Information and Tracking Network Security Policy Version 2.0 Adopted: September 11, 2003 Effective: September 11, 2003 Amended: September 12, 2007 1.0 POLICY STATEMENT The Michigan Commission on

More information

Cal State Fullerton Account and Password Guidelines

Cal State Fullerton Account and Password Guidelines Cal State Fullerton Account and Password Guidelines Purpose The purpose of this guideline is to establish a standard for account use and creation of strong passwords which adheres to CSU policy and conforms

More information

Information Security Policy. Policy and Procedures

Information Security Policy. Policy and Procedures Information Security Policy Policy and Procedures Issue Date February 2013 Revision Date February 2014 Responsibility/ Main Point of Contact Neil Smedley Approved by/date Associated Documents Acceptable

More information

Information Technology Acceptable Use Policies and Procedures

Information Technology Acceptable Use Policies and Procedures Information Technology Acceptable Use Policies and Procedures The following Information Technology Acceptable Use Policies and Procedures are to be followed by ALL employees, contractors, vendors, and

More information

Health and Human Services Enterprise Information Technology Security Training Resource Guide

Health and Human Services Enterprise Information Technology Security Training Resource Guide Health and Human Services Enterprise Information Technology Security Training Resource Guide Version 1.0 March 28, 2005 Table of Contents Section I Getting Started...1 Introduction... 1 Overview... 1 Information

More information

Wellesley College Written Information Security Program

Wellesley College Written Information Security Program Wellesley College Written Information Security Program Introduction and Purpose Wellesley College developed this Written Information Security Program (the Program ) to protect Personal Information, as

More information

REMOTE ACCESS POLICY OCIO-6005-09 TABLE OF CONTENTS

REMOTE ACCESS POLICY OCIO-6005-09 TABLE OF CONTENTS OFFICE OF THE CHIEF INFORMATION OFFICER REMOTE ACCESS POLICY OCIO-6005-09 Date of Issuance: May 22, 2009 Effective Date: May 22, 2009 Review Date: TABLE OF CONTENTS Section I. PURPOSE II. AUTHORITY III.

More information

DEPARTMENT OF MENTAL HEALTH POLICY/PROCEDURE

DEPARTMENT OF MENTAL HEALTH POLICY/PROCEDURE 2 of 10 2.5 Failure to comply with this policy, in whole or in part, if grounds for disciplinary actions, up to and including discharge. ADMINISTRATIVE CONTROL 3.1 The CIO Bureau s Information Technology

More information

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL Title: Computer and Network Security Policy Policy Number: 04.72.12 Effective Date: November 4, 2003 Issuing Authority: Office of the Vice President for

More information

JHSPH Acceptable Use Policy

JHSPH Acceptable Use Policy 1.0 Purpose JHSPH Acceptable Use Policy Use of the Johns Hopkins Bloomberg School of Public Health (JHSPH) information technology (IT) resources is a privilege that is extended to users for the purpose

More information

Ex Libris Group Password Management Policy

Ex Libris Group Password Management Policy Ex Libris Group Password Management Policy CONFIDENTIAL INFORMATION The information herein is the property of Ex Libris Ltd. or its affiliates and any misuse or abuse will result in economic loss. DO NOT

More information

TERMS OF SERVICE TELEPORT REQUEST RECEIVERS

TERMS OF SERVICE TELEPORT REQUEST RECEIVERS TERMS OF SERVICE These terms of service and the documents referred to in them ( Terms ) govern your access to and use of our services, including our website teleportapp.co ( our site ), applications, buttons,

More information

Consensus Policy Resource Community. Lab Security Policy

Consensus Policy Resource Community. Lab Security Policy Lab Security Policy Free Use Disclaimer: This policy was created by or for the SANS Institute for the Internet community. All or parts of this policy can be freely used for your organization. There is

More information

User Accounts and Password Standard and Procedure

User Accounts and Password Standard and Procedure Office of the Vice President for Operations / CIO User Accounts and Password Standard and Procedure Issue Date: January 1, 2011 Information Security Office Effective Date: November 21, 2014 User Account

More information

Franciscan University of Steubenville Information Security Policy

Franciscan University of Steubenville Information Security Policy Franciscan University of Steubenville Information Security Policy Scope This policy is intended for use by all personnel, contractors, and third parties assisting in the direct implementation, support,

More information

Version: 2.0. Effective From: 28/11/2014

Version: 2.0. Effective From: 28/11/2014 Policy No: OP58 Version: 2.0 Name of Policy: Anti Virus Policy Effective From: 28/11/2014 Date Ratified 17/09/2014 Ratified Health Informatics Assurance Committee Review Date 01/09/2016 Sponsor Director

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING 6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING The following is a general checklist for the audit of Network Administration and Security. Sl.no Checklist Process 1. Is there an Information

More information

'Namgis First Nation. 1.0 Overview. 2.0 Purpose. 3.0 Scope. 4.0 Policy

'Namgis First Nation. 1.0 Overview. 2.0 Purpose. 3.0 Scope. 4.0 Policy Created: 2/18/2011 Page 1 of 8 'Namgis First Nation is hereinafter referred to as "the government." 1.0 Overview Though there are a number of reasons to provide a user network access, by far the most common

More information

U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course

U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course Rules of Behavior Before you print your certificate of completion, please read the following Rules of Behavior

More information

Miami University. Payment Card Data Security Policy

Miami University. Payment Card Data Security Policy Miami University Payment Card Data Security Policy IT Policy IT Standard IT Guideline IT Procedure IT Informative Issued by: IT Services SCOPE: This policy covers all units within Miami University that

More information

Automation Suite for. 201 CMR 17.00 Compliance

Automation Suite for. 201 CMR 17.00 Compliance WHITEPAPER Automation Suite for Assurance with LogRhythm The Massachusetts General Law Chapter 93H regulation 201 CMR 17.00 was enacted on March 1, 2010. The regulation was developed to safeguard personal

More information

Authorized. User Agreement

Authorized. User Agreement Authorized User Agreement CareAccord Health Information Exchange (HIE) Table of Contents Authorized User Agreement... 3 CareAccord Health Information Exchange (HIE) Polices and Procedures... 5 SECTION

More information

Must score 89% or above. If you score below 89%, we will be contacting you to go over the material individually.

Must score 89% or above. If you score below 89%, we will be contacting you to go over the material individually. April 23, 2014 Must score 89% or above. If you score below 89%, we will be contacting you to go over the material individually. What is it? Electronic Protected Health Information There are 18 specific

More information

New York State Office Of Children And Family Services VPN

New York State Office Of Children And Family Services VPN CLIENT VPN New York State Office Of Children & Family Services New York State Office of Children & Family Services (OCFS) Client Virtual Private Network (VPN) Access to the Human Services Enterprise Network

More information

Information Security Handbook for Employees

Information Security Handbook for Employees Information Security Handbook for Employees Providing our patients with excellence in healthcare includes protecting their information This handbook was prepared by Tom Walsh Consulting, LLC for the Kansas

More information

Implementation Guide

Implementation Guide Implementation Guide PayLINK Implementation Guide Version 2.1.252 Released September 17, 2013 Copyright 2011-2013, BridgePay Network Solutions, Inc. All rights reserved. The information contained herein

More information

NETWORK INFRASTRUCTURE USE

NETWORK INFRASTRUCTURE USE NETWORK INFRASTRUCTURE USE Information Technology Responsible Office: Information Security Office http://ooc.usc.edu infosec@usc.edu (213) 743-4900 1.0 Purpose The (USC) provides its faculty, staff and

More information

EMPLOYEE COMPUTER NETWORK AND INTERNET ACCEPTABLE USAGE POLICY

EMPLOYEE COMPUTER NETWORK AND INTERNET ACCEPTABLE USAGE POLICY EMPLOYEE COMPUTER NETWORK AND INTERNET ACCEPTABLE USAGE POLICY This is a statement of The New York Institute for Special Education s (NYISE s) policy related to employees Computer Network and Internet

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

USM IT Security Council Guide for Security Event Logging. Version 1.1

USM IT Security Council Guide for Security Event Logging. Version 1.1 USM IT Security Council Guide for Security Event Logging Version 1.1 23 November 2010 1. General As outlined in the USM Security Guidelines, sections IV.3 and IV.4: IV.3. Institutions must maintain appropriate

More information

Lisbon School District 15 Newent Road Lisbon, CT 06351

Lisbon School District 15 Newent Road Lisbon, CT 06351 Pur pose The purpose of this policy is to establish direction, procedures, requirements, and responsibilities to ensure the appropriate protection of the Lisbon Public Schools computer and telecommunication

More information

Iowa Health Information Network (IHIN) Security Incident Response Plan

Iowa Health Information Network (IHIN) Security Incident Response Plan Iowa Health Information Network (IHIN) Security Incident Response Plan I. Scope This plan identifies the responsible parties and action steps to be taken in response to Security Incidents. IHIN Security

More information

Information Technology Security Policies

Information Technology Security Policies Information Technology Security Policies Randolph College 2500 Rivermont Ave. Lynchburg, VA 24503 434-947- 8700 Revised 01/10 Page 1 Introduction Computer information systems and networks are an integral

More information

Hardware and Software Security

Hardware and Software Security Today, with the big advancement of technology and the need to share data globally at all time. Security has become one of the most important topics when we talk about data sharing. This means that the

More information

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.

More information

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date:

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date: A SYSTEMS UNDERSTANDING A 1.0 Organization Objective: To ensure that the audit team has a clear understanding of the delineation of responsibilities for system administration and maintenance. A 1.1 Determine

More information

GFI White Paper PCI-DSS compliance and GFI Software products

GFI White Paper PCI-DSS compliance and GFI Software products White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption

More information

Data Security Incident Response Plan. [Insert Organization Name]

Data Security Incident Response Plan. [Insert Organization Name] Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security

More information

Technical Standards for Information Security Measures for the Central Government Computer Systems

Technical Standards for Information Security Measures for the Central Government Computer Systems Technical Standards for Information Security Measures for the Central Government Computer Systems April 21, 2011 Established by the Information Security Policy Council Table of Contents Chapter 2.1 General...

More information

Vermont Information Technology Leaders

Vermont Information Technology Leaders Vermont Information Technology Leaders HIPAA COMPLIANCE POLICIES AND PROCEDURES Policy Number: InfoSec 4 Policy Title: Information Security Incident Response January 26, 2016 IDENT INFOSEC4 Type of Document:

More information

Antivirus and Malware Prevention Policy and Procedures (Template) Employee Personal Device Use Terms and Conditions (Template)

Antivirus and Malware Prevention Policy and Procedures (Template) Employee Personal Device Use Terms and Conditions (Template) Below you will find the following sample policies: Antivirus and Malware Prevention Policy and Procedures (Template) Employee Personal Device Use Terms and Conditions (Template) *Log in to erisk Hub for

More information

BALTIMORE CITY COMMUNITY COLLEGE INFORMATION TECHNOLOGY SECURITY PLAN

BALTIMORE CITY COMMUNITY COLLEGE INFORMATION TECHNOLOGY SECURITY PLAN BALTIMORE CITY COMMUNITY COLLEGE INFORMATION TECHNOLOGY SECURITY PLAN FEBRUARY 2011 TABLE OF CONTENTS PURPOSE... 4 SCOPE... 4 INTRODUCTION... 4 SECTION 1: IT Security Policy... 5 SECTION 2: Risk Management

More information

Approved 12/14/11. FIREWALL POLICY INTERNAL USE ONLY Page 2

Approved 12/14/11. FIREWALL POLICY INTERNAL USE ONLY Page 2 Texas Wesleyan Firewall Policy Purpose... 1 Scope... 1 Specific Requirements... 1 PURPOSE Firewalls are an essential component of the Texas Wesleyan information systems security infrastructure. Firewalls

More information